Monday, November 3, 2014

There may come a time when you have rev.1 and rev.2 hardware of a particular platform that you're trying to form an HA cluster with. To successfully accomplish this you need to tell the firewall to ignore the difference in hardware revision.

In FortiOS 4.3 and earlier:
config system global
set ignore-hardware-revision enable
end

The newly announced Bash / Shellshock vulnerability is documented in CVE-2014-6271.

Here are IPS rules for immediate manual deployment. Fortinet has already generated a new IPS signature, Bash.Function.Definitions.Remote.Code.Execution, which will be released in the next few hours after it has passed the QA testing process.

Fortigate firewalls do NOT use Bash and are not vulnerable to this exploit. The rules below can be used to filter traffic destined for devices protected by the firewall.

Monday, September 15, 2014

By default smaller Fortigate units such as the 60D or 90D series combine their interfaces into a virtual switch. With a configuration change, every port can instead be placed in its own broadcast domain. This is useful, for example, if you want to configure a number of different trunk ports.

By default the firewalls also ship with basic policies that permit and NAT outbound traffic, as well as a DHCP server. These need to be cleared before the switch mode can be changed.

# config firewall policy
# purge

This operation will clear all table!
Do you want to continue? (y/n) y

# end

# config system dhcp server
# purge

This operation will clear all table!
Do you want to continue? (y/n) y

# end

# config system global
# set internal-switch-mode interface
# end

Changing switch mode will reboot the system!
Do you want to continue? (y/n) y

Wednesday, August 27, 2014

When setting up a new FortiGate you tend to receive a lot of logs for traffic destined to 255.255.255.255 (the global broadcast address) or x.x.x.255 (your local subnet broadcast address). To reduce clutter and have the firewall drop these broadcasts silently, use:

Tuesday, July 29, 2014

In FortiOS 5.2 and higher you can dedicate one of the CPUs for management access, in other words GUI and CLI access. If the system is running under extremely high loads this will guarantee access to management functions.

This feature is available only on 2U firewalls and blades that have multiple CPUs.

Thursday, May 15, 2014

If you have a local certificate on the Fortigate and the original certificate request (CSR) was generated on the Fortigate, then the private key resides on the Fortigate and you need to export it in order to install your signed certificate on another server.

The problem with the Fortigate certificate export feature is that it will only export the signed certificate (which you likely already have stored somewhere). The private key is stored in the configuration backup file, however it is encrypted with an unknown password.

Luckily there is a workaround: you can unset the private key password via the CLI, then back up your configuration file, where you'll find the private key available for use. Note that from then on the backup file contains that private key in the clear.

config vpn certificate local
show

This will give you a list of the local certificates. Next, edit the desired certificate and unset the password:

edit testcert
unset password
end

Now when you back up your Fortigate configuration you’ll find the signed certificate as well as the private key.

Look for the following line:

set private-key "-----BEGIN RSA PRIVATE KEY-----

Copy everything between (and including)

-----BEGIN RSA PRIVATE KEY-----
and
-----END RSA PRIVATE KEY-----

into a text file. This is your private key, which can be used together with the signed certificate when importing into another server.

Tuesday, April 8, 2014

Sometimes it can be useful to export and analyze rules in a CSV type format. This comes in especially handy when working with long and complex firewall policies.

I came across the perl script below that takes firewall policies from a text file and performs the CSV conversion for you.

Syntax: csvparse.pl rules.txt

<rules.txt> should be in the following format:

config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic-app disable
set webcache enable
set nat enable
next
end
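As an added example (not the Perl script the post refers to, and not FortiOS code), the following Python parses a FortiOS configuration backup: it flattens `config firewall policy` into CSV in the rules.txt layout above, and it pulls the now-unencrypted private key out of `config vpn certificate local` as described in the certificate export post. The sample backup is constructed here and the PEM body is a placeholder.

```python
import csv, io

# Constructed FortiGate backup excerpt: one firewall policy in the rules.txt layout, and one
# local certificate whose `unset password` left its private key as a multi-line quoted value.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
    next
end
config vpn certificate local
    edit "testcert"
        set private-key "-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-KEY-BODY
-----END RSA PRIVATE KEY-----"
    next
end
"""

def parse_section(text, section):
    """Return [(name, {key: value})] for each edit block of `config <section>`."""
    entries, lines = [], iter(text.splitlines())
    next((l for l in lines if l.strip() == "config " + section), None)  # skip to the section
    for line in lines:
        s = line.strip()
        if s == "end":
            break
        if s.startswith("edit "):
            name, attrs = s[5:].strip('"'), {}
        elif s == "next":
            entries.append((name, attrs))
        elif s.startswith("set "):
            key, _, value = s[4:].partition(" ")
            # PEM blobs open a quote on the set line and close it several lines later.
            while value.startswith('"') and (len(value) < 2 or not value.endswith('"')):
                value += "\n" + next(lines)
            attrs[key] = value.strip('"')
    return entries

def policies_to_csv(text, columns=("srcintf", "dstintf", "action")):
    """Flatten `config firewall policy` into CSV text, one row per policy ID."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(("id",) + columns)
    for pid, attrs in parse_section(text, "firewall policy"):
        writer.writerow((pid,) + tuple(attrs.get(c, "") for c in columns))
    return out.getvalue()
def private_keys(text):  # certificate name -> PEM private key, from `config vpn certificate local`
    return {n: a["private-key"] for n, a in parse_section(text, "vpn certificate local") if "private-key" in a}
```

Run against a real backup, each value returned by private_keys is exactly the text the post tells you to copy between the BEGIN and END markers.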

Wednesday, March 5, 2014

VDOMs have quite a number of dependencies that need to be deleted before you can get rid of the VDOM itself. Below is a useful little script that goes through all the sections and purges them so the VDOM can be deleted. Adjust it as needed.

## This script needs to be run interactively. In other words you cannot copy and paste the whole script. You have to acknowledge each purge command.
## Purge all VDOM specific configuration

Thursday, February 27, 2014

When you replace firewall hardware that's reporting into a FortiAnalyzer due to an RMA or other failure it's important to make sure you update FortiAnalyzer with the new serial number of the device. Use the following command on the FAZ:

Thursday, February 20, 2014

I have to admit I'm pretty spoiled when it comes to IPAM. In my previous role I was working with Bluecat Address Manager and loved it. Probably the best purchase order we ever issued :)

For my lab setup I didn't want to drop $30k so I set out looking for a free and open source IPAM tool. My former tool of choice was IPPlan. This hasn't been updated in several years though and IPv6 support is pretty basic.

So over the last few days I have been testing PHPIpam and I have to say I'm very impressed. Not only does it have a really "sexy" web interface, but functionally it is very, very close to what I'm used to from Bluecat.

Thursday, February 13, 2014

If you are deploying FortiClient for a large number of users, chances are you'll create a master build and image it onto the drives you are installing in your machines.
One thing to keep in mind is that when you install FortiClient it creates a unique UID.

So before you start copying your master build, follow these steps to remove the unique UID. Each individual machine will create a new UID on first use if one doesn't already exist.

To include a FortiClient installation in a hard disk image

Download the FortiClient tools from the Fortinet Support Site. The tools are located in the same folder as the FortiClient installer files.

Using an MSI FortiClient installer, install and configure the FortiClient application to suit your requirements. You can use a standard or a customized installation package.

Right-click the FortiClient icon in the system tray and select Shutdown FortiClient.

From the folder where you expanded the FortiClientTools.zip file, run RemoveFCTID.exe. The RemoveFCTID tool requires administrative rights.

Shut down the computer.

IMPORTANT! Do not reboot the Windows operating system on the computer before you create the hard disk image. The FortiClient identifier is created before you log on.